Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

The policy evaluation completed log is incorrect for response evaluation #210

Closed
davidebianchi opened this issue Jun 28, 2023 · 0 comments · Fixed by #212
Closed

The policy evaluation completed log is incorrect for response evaluation #210

davidebianchi opened this issue Jun 28, 2023 · 0 comments · Fixed by #212
Assignees
@fredmaggiowski
Labels
bug Something isn't working

Comments

@davidebianchi
Copy link
Member

Describe the bug

When it's used a policy to filter a response body, in log allowed field is set to false, also if all works correctly.
An example log for the policy foo is:

{"allowed":false,"evaluationTimeMicroseconds":123,"level":20,"matchedPath":"/api/","method":"GET","msg":"policy evaluation completed","partialEval":false,"policyName":"foo","reqId":"req-id","requestedPath":"/api/"}

Expected behavior

We expect a more correct information. Allowed false is the output from opa, but from rond this is evaluated as allowed and change the response body.

Replication info

There are the SDK tests which highlight this behaviour:

rond/core/sdk_test.go

Lines 600 to 620 in 7d71122

t.Run("logger", func(t *testing.T) {
var actual *logrus.Entry
for _, entry := range hook.AllEntries() {
if entry.Message == "policy evaluation completed" {
actual = entry
}
}
evaluatorInfo := evaluate.(evaluator)
require.NotNil(t, actual)
delete(actual.Data, "evaluationTimeMicroseconds")
require.Equal(t, logrus.Fields{
"allowed": false,
"requestedPath": testCase.path,
"matchedPath": evaluatorInfo.evaluatorOptions.RouterInfo.MatchedPath,
"method": testCase.method,
"partialEval": false,
"policyName": evaluate.Config().ResponseFlow.PolicyName,
"resultsLength": 1,
}, actual.Data)
})

@davidebianchi davidebianchi added the bug Something isn't working label Jun 28, 2023
fredmaggiowski added a commit that referenced this issue Jun 28, 2023
@fredmaggiowski
fix(#210): allowed value simplification
70fe1a9
@fredmaggiowski fredmaggiowski self-assigned this Jun 28, 2023
@davidebianchi davidebianchi linked a pull request Jun 28, 2023 that will close this issue
fix(#210): allowed value log in response policy evaluation #212
Merged
2 tasks
fredmaggiowski added a commit that referenced this issue Jun 30, 2023
@fredmaggiowski @davidebianchi
fix(#210): allowed value log in response policy evaluation (#212)
d6af895 
* fix(#210): allowed value simplification

* refactor: use allowed-inspired func

* fix: lax allowed evaluator for logging purposes

* refactor: removed useless log

* refactor: typo and better comment

* refactor: use empty

Co-authored-by: Davide Bianchi <10374360+davidebianchi@users.noreply.github.com>

* refactor: removed lax allow and reworked results processing to fit allowed eval

---------

Co-authored-by: Davide Bianchi <10374360+davidebianchi@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@fredmaggiowski fredmaggiowski

Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(#210): allowed value log in response policy evaluation rond-authz/rond
2 participants
@fredmaggiowski @davidebianchi